#!/bin/bash 
set -e


TMP=${TMP:-/tmp/work}
LOG=${LOG:-$HOME/logs/stage4}
SRC=${SRC:-/sources}

name=shadow
version=4.8.1

rm -rf $TMP
mkdir -p $TMP $LOG

tar xf $SRC/$name-$version.tar.xz -C $TMP

{ time \
   {

    cd $TMP/$name-$version
    
	sed -i 's/groups$(EXEEXT) //' src/Makefile.in

	find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \;
	find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \;
	find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \;

	sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
	    -e 's@/var/spool/mail@/var/mail@'                 \
	    -i etc/login.defs

	sed -i 's/1000/999/' etc/useradd

	./configure --sysconfdir=/etc --with-group-name-max-length=32
	make

	make install

	sed -i 's/yes/no/' /etc/default/useradd

	install -v -m644 /etc/login.defs /etc/login.defs.orig &&
	for FUNCTION in FAIL_DELAY               \
	                FAILLOG_ENAB             \
	                LASTLOG_ENAB             \
	                MAIL_CHECK_ENAB          \
	                OBSCURE_CHECKS_ENAB      \
	                PORTTIME_CHECKS_ENAB     \
	                QUOTAS_ENAB              \
	                CONSOLE MOTD_FILE        \
	                FTMP_FILE NOLOGINS_FILE  \
	                ENV_HZ PASS_MIN_LEN      \
	                SU_WHEEL_ONLY            \
	                CRACKLIB_DICTPATH        \
	                PASS_CHANGE_TRIES        \
	                PASS_ALWAYS_WARN         \
	                CHFN_AUTH ENCRYPT_METHOD \
	                ENVIRON_FILE
	do
	    sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
	done

	cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login
EOF

	cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd
EOF

	cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su
EOF

	cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth, account, and session settings
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage
EOF

	for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
	               groupmems groupmod newusers useradd userdel usermod
	do
	    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
	    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
	done

	[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}

	[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}

    }
} 2>&1 | tee $name.log
    
[ $PIPESTATUS = 0 ] && mv $name.log $LOG || exit $PIPESTATUS

rm -fr $TMP
